Field of the Invention
The present invention relates in general to the field of information handling system security, and more particularly to information handling system multi-security system management.
Description of the Related Art
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Information handling systems often store and have access to sensitive information of individuals and enterprises, such as financial information and personal identification information. To protect sensitive information, information handling systems often include security measures with password protection. For example, an operating system typically includes a password that an end user must enter before using an information handling system. Once the operating system receives the password, the end user typically has full access to operating system functions and information accessible by the operating system for a limited time period. For instance, a screen saver with password protection will assert after 5 to 15 minutes of inactivity at the information handling system. After assertion of the screen saver, the end user typically must input the password again to access the operating system.
Although password protection at an operating system level reduces the risk of unauthorized access to an information handling system, it does not guarantee protection of underlying information stored on the information handling system, such as on persistent storage devices like the hard disk drive or solid state drive. In some instances, the basic input/output system (BIOS) manages password protection to access the persistent storage device. In addition, particular information within persistent storage often has separate password protection, such as through a particular application that runs over the operating system. To the extent that the password accesses are managed over the operating system, the operating system itself remains a weak link available for attack by hackers. In some instances, the many different layers of security create end user confusion and disinterest in using password protection. For example, an end user who feels adequately protected by an operating system password may elect not to use other types of access protection or security measures. As another example, end users may elect simple passwords to help remember multiple different passwords where the simple passwords are typically easier to hack.
One additional security measure that helps to secure information in persistent storage is pre-boot security. Pre-boot security uses a password to protect persistent storage devices by encrypting the stored information. In order to boot an information handling system that has pre-boot security, the BIOS typically receives a password and then applies the password to decrypt the operating system on the persistent storage and allow boot. After the operating system boots, the operating system password protection is typically presented so the end user can access the operating system and information controlled by the operating system. Generally, in a pre-boot scenario, security concerns limit the communication of security credentials between the pre-boot operating system and the primary operating system so that a compromised primary operating system will not provide an avenue for hacking of the pre-boot security measures. As a result, pre-boot applications that execute on the pre-boot operating system are typically limited to support of MSA or web-based authentication and unable to support local primary operating system accounts.
The use of multiple security systems at an information handling system tends to create complexity, especially in a desktop environment where the information handling system relies upon external peripherals, such as a horizontal display that acts as an input device. For example, a horizontal display rests on a desktop to provide visual images and a touchscreen that accepts end user inputs. In some environments, the horizontal display integrates processing components that operate as a separate information handling system with its own operating system and, in some cases, its own pre-boot security. Pre-boot security often relies upon hardware integrated with the information handling system that operates independent of the operating system, such as a finger print scanner. As an end user interacts with a multi-system multi-peripheral environment, information handling system operating system security timeouts may intermittently lock out display presentations resulting in the end user attempting to sign into different devices at different intervals with different passwords. Further complication is involved where the information handling systems and related devices include their own multiple levels of security and network interfaces.